[Samba] Bind9 doesn't updated - TSIG error with server: tsig verify failure

Igor Sousa igorvolt at gmail.com
Sun Aug 11 01:36:51 UTC 2019


Hi Rowland,

I've added 'dns update command' to the global section of the smb.conf file and I've
configured the nameserver in '/etc/resolv.conf' as 127.0.0.1 (I've tried with
the IP address of 'king' too), but I don't know if this has worked. I've seen
some DNS update errors in 'systemctl status samba-ad-dc', though the same
command has returned status 'Active (running)'. And I've used
'samba_dnsupdate', as I've mentioned previously, and I've received a
'dns_tkey_negotiategss: TKEY is unacceptable' error and all entries have
had their DNS update fail. I've read
https://wiki.samba.org/index.php/Dns_tkey_negotiategss:_TKEY_is_unacceptable
but I think my case doesn't match the described cases.

I've thought for a while about demoting 'king' from 'SMB' and creating a new DC to
join 'SMB'. I haven't done it because I have no guarantee that this will
work.

Note: I've used CentOS 7 with firewalld and SELinux disabled.

--
Igor Sousa

[root@king ~]# systemctl status samba-ad-dc -l
● samba-ad-dc.service - Samba Active Directory Domain Controller
   Loaded: loaded (/etc/systemd/system/samba-ad-dc.service; enabled; vendor preset: disabled)
   Active: active (running) since Sat 2019-08-10 21:56:10 -03; 57s ago
 Main PID: 4761 (samba)
   Status: "smbd: ready to serve connections..."
   CGroup: /system.slice/samba-ad-dc.service
           ├─4761 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4762 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4763 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4764 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4765 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─4766 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4767 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4768 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4769 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4770 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4771 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4772 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4773 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4774 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4775 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4776 /usr/local/samba/sbin/samba --foreground --no-process-group
           ├─4777 /usr/local/samba/sbin/winbindd -D --option=server role check:inhibit=yes --foreground
           ├─4786 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           ├─4787 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground
           └─4788 /usr/local/samba/sbin/smbd -D --option=server role check:inhibit=yes --foreground

Aug 10 21:56:10 king samba[4775]:   /usr/sbin/samba_dnsupdate: Failed to exec child - No such file or directory
Aug 10 21:56:10 king samba[4775]: [2019/08/10 21:56:10.070765,  0] ../../source4/dsdb/dns/dns_update.c:331(dnsupdate_nameupdate_done)
Aug 10 21:56:10 king samba[4775]:   dnsupdate_nameupdate_done: Failed DNS update with exit code 255
Aug 10 21:56:10 king winbindd[4777]: [2019/08/10 21:56:10.742668,  0] ../../source3/winbindd/winbindd_cache.c:3165(initialize_winbindd_cache)
Aug 10 21:56:10 king winbindd[4777]:   initialize_winbindd_cache: clearing cache and re-creating with version number 2
Aug 10 21:56:10 king winbindd[4777]: [2019/08/10 21:56:10.805712,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
Aug 10 21:56:10 king winbindd[4777]:   daemon_ready: daemon 'winbindd' finished starting up and ready to serve connections
Aug 10 21:56:10 king systemd[1]: Started Samba Active Directory Domain Controller.
Aug 10 21:56:11 king smbd[4765]: [2019/08/10 21:56:11.230890,  0] ../../lib/util/become_daemon.c:136(daemon_ready)
Aug 10 21:56:11 king smbd[4765]:   daemon_ready: daemon 'smbd' finished starting up and ready to serve connections

[root@king ~]# klist -k /usr/local/samba/bind-dns/dns.keytab
Keytab name: FILE:/usr/local/samba/bind-dns/dns.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 DNS/king.smb@SMB
   1 dns-KING@SMB
   1 DNS/king.smb@SMB
   1 dns-KING@SMB
   1 DNS/king.smb@SMB
   1 dns-KING@SMB
   1 DNS/king.smb@SMB
   1 dns-KING@SMB
   1 DNS/king.smb@SMB
   1 dns-KING@SMB

[root@king ~]# ldbsearch -H /usr/local/samba/private/sam.ldb 'cn=dns-KING' dn
# record 1
dn: CN=dns-KING,CN=Users,DC=smb

# Referral
ref: ldap://smb/CN=Configuration,DC=smb

# Referral
ref: ldap://smb/DC=DomainDnsZones,DC=smb

# Referral
ref: ldap://smb/DC=ForestDnsZones,DC=smb

# returned 4 records
# 1 entries
# 3 referrals

On Sat, Aug 10, 2019 at 12:30, Rowland penny via samba <
samba at lists.samba.org> wrote:

> On 10/08/2019 16:05, Igor Sousa wrote:
> > Hi Rowland,
> >
> > Before adding 'dns update command = /usr/sbin/samba_dnsupdate
> > --use-samba-tool' I tried once to run 'samba_dnsupdate --verbose
> > --all-names' and it returned a TSIG error again. More precisely,
> > 'TSIG error with server: tsig verify failure'
>
> Just add the line and restart Samba and your problem should go away.
>
> Rowland
>
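
The status output in this message shows samba failing to execute /usr/sbin/samba_dnsupdate ("No such file or directory") while every daemon in the process tree runs from /usr/local/samba/sbin. The shell check below is an added example, not part of the original post or of Samba: it reads 'dns update command' from an smb.conf and verifies that the program it names exists. The function names and the constructed sample config are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: check that the program named by 'dns update command' exists.

# Print the value of 'dns update command' from the smb.conf given as $1.
# Simplifications (assumptions): section headers are ignored, the last
# occurrence wins, and backslash line continuations are not handled.
get_dns_update_command() {
    awk '
        /^[ \t]*[#;]/ || !/=/ { next }        # skip comments and non-parameters
        {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", key)            # names ignore case and whitespace
            if (key != "dnsupdatecommand") next
            val = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", val)
            found = val
        }
        END { if (found != "") print found }
    ' "$1"
}

# Exit status: 0 = executable present, 1 = parameter not set, 2 = not executable.
check_dns_update_command() {
    cmd=$(get_dns_update_command "$1")
    if [ -z "$cmd" ]; then
        echo "dns update command is not set in $1"
        return 1
    fi
    exe=$(printf '%s\n' "$cmd" | awk '{ print $1 }')   # first word is the program
    if [ -f "$exe" ] && [ -x "$exe" ]; then
        echo "OK: $exe exists and is executable"
        return 0
    fi
    echo "FAIL: $exe is not an executable file (expect a failed exec in the log)"
    return 2
}

# Demo on a constructed smb.conf that uses the path quoted in the thread.
demo() {
    conf=$(mktemp)
    printf '[global]\n\tdns update command = /usr/sbin/samba_dnsupdate --use-samba-tool\n' > "$conf"
    check_dns_update_command "$conf"
    rc=$?
    rm -f "$conf"
    return "$rc"
}
demo || true
```

On a source build, run check_dns_update_command against the smb.conf the daemon actually loads; a status of 2 means the configured path has to be changed to wherever samba_dnsupdate was installed.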
